It was found that xrdb, the X server resource database utility, did not properly sanitize system host names containing shell escape characters during launch of a user graphical session (when the display manager retrieved the system host name from the resource database via xrdb). When the display manager was configured to listen for X Display Manager Control Protocol (XDMCP) messages, a remote attacker could use this flaw to remotely execute arbitrary code with the privileges of the user running the display manager (usually the privileged system user, root). On systems where XDMCP messages were disabled and the system was configured to retrieve its host name from a remote DHCP server, a rogue DHCP server could use this flaw to possibly execute arbitrary code with the privileges of the user running the display manager (usually root) via a specially-crafted host name assigned to the victim host in question.

Note:
The display managers shipped with Red Hat Enterprise Linux 4, 5, and 6 do not listen for remote XDMCP messages in the default configuration, which restricts exploitation of this security flaw to rogue remote DHCP servers. The display managers shipped with Fedora releases 13 and 14 do not listen for remote XDMCP messages in the default configuration, which restricts exploitation of this security flaw to rogue remote DHCP servers.
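Added example, not part of this bug report and not xrdb's own source: a small C model of the code path the report describes, in which the host name is dropped into a -DHOST="..." define that xrdb hands to the preprocessor through sh. It builds the define three ways: as the pre-fix code did (value copied verbatim inside the quotes), as the upstream 1.0.9 fix does (AddSimpleDef, a literal ="  and an escaped value), and as the half-applied RHEL 6 backport quoted later in this thread (Comment 11) does. Assumptions: the metacharacter list that addescapedstring() replaces with '_' is modelled on the upstream fix rather than copied from it, the fixed AddDef() is taken to escape its value argument (inferred from the '_' that replaces the opening quote in the -DVENDOR=_Red Hat, Inc.\" output in Comment 11), the shell scanner is a simplified model of sh quoting, and the sample host name is constructed.

```c
/* Added example, not xrdb's own code: a model of how xrdb assembles the
 * -DNAME="value" defines it hands to cpp through sh, in three variants:
 * the pre-fix build (value copied verbatim), the upstream 1.0.9 fix
 * (AddSimpleDef + literal '="' + escaped value), and the RHEL 6 backport
 * quoted in Comment 11 (AddDef still used for the opening quote). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Shell metacharacters that the fix replaces with '_'. The list is an
 * assumption modelled on upstream's addescapedstring(), not copied from it. */
static const char SHELL_META[] = "\"'`$\\<>|&;(){}*?[]#!~";

/* Constructed sample host name carrying shell metacharacters. */
static const char HOSTILE_HOSTNAME[] = "lab\"; id; \"";

typedef struct { char *buf; size_t len, cap; } String;   /* stands in for xrdb's String */

static void str_init(String *s) {
    s->cap = 64; s->len = 0;
    s->buf = calloc(1, s->cap);
    if (!s->buf) abort();
}

static void addstring(String *s, const char *text) {
    size_t n = strlen(text);
    while (s->len + n + 1 > s->cap) s->cap *= 2;
    s->buf = realloc(s->buf, s->cap);
    if (!s->buf) abort();
    memcpy(s->buf + s->len, text, n + 1);
    s->len += n;
}

/* Post-fix helper: copy value, neutralising every shell metacharacter. */
static void addescapedstring(String *s, const char *value) {
    char one[2] = { 0, 0 };
    for (; *value; value++) {
        one[0] = strchr(SHELL_META, *value) ? '_' : *value;
        addstring(s, one);
    }
}

static void AddSimpleDef(String *s, const char *title) {
    addstring(s, " -D");
    addstring(s, title);
}

/* Pre-fix AddDef: the value is appended verbatim. */
static void AddDef_prefix(String *s, const char *title, const char *value) {
    AddSimpleDef(s, title);
    if (value && *value) { addstring(s, "="); addstring(s, value); }
}

/* Post-fix AddDef: the value is escaped (assumed; inferred from the '_' that
 * replaces the opening quote in Comment 11's -DVENDOR=_Red Hat, Inc." output). */
static void AddDef_fixed(String *s, const char *title, const char *value) {
    AddSimpleDef(s, title);
    if (value && *value) { addstring(s, "="); addescapedstring(s, value); }
}

typedef enum { DEFQ_VULNERABLE, DEFQ_UPSTREAM_FIX, DEFQ_RHEL6_BACKPORT } Variant;

/* Build the quoted define -D<title>="<value>" the way each variant does.
 * Returns a malloc'd string; the caller frees it. */
static char *build_defq(Variant v, const char *title, const char *value) {
    String s; str_init(&s);
    if (!value || !*value) { AddSimpleDef(&s, title); return s.buf; }
    switch (v) {
    case DEFQ_VULNERABLE:        /* AddDef(title, "\""); addstring(value) */
        AddDef_prefix(&s, title, "\""); addstring(&s, value); break;
    case DEFQ_UPSTREAM_FIX:      /* AddSimpleDef; addstring("=\""); addescapedstring(value) */
        AddSimpleDef(&s, title); addstring(&s, "=\""); addescapedstring(&s, value); break;
    case DEFQ_RHEL6_BACKPORT:    /* AddDef(title, "\"") kept, but AddDef now escapes: '"' becomes '_' */
        AddDef_fixed(&s, title, "\""); addescapedstring(&s, value); break;
    }
    addstring(&s, "\"");
    return s.buf;
}

/* Simplified model of how sh reads the fragment: tracks double-quote state,
 * counts metacharacters the shell would act on (;&|<>() outside quotes,
 * $ and ` anywhere) and reports whether the quotes are balanced.
 * Model only: single quotes and backslash escapes are not handled. */
typedef struct { int active_meta; int quotes_balanced; } ShellScan;

static ShellScan scan_for_shell(const char *s) {
    ShellScan r = { 0, 1 };
    int inq = 0;
    for (; *s; s++) {
        if (*s == '"') { inq = !inq; continue; }
        if (*s == '$' || *s == '`') r.active_meta++;
        else if (!inq && strchr(";&|<>()", *s)) r.active_meta++;
    }
    r.quotes_balanced = !inq;
    return r;
}

int main(void) {
    const char *names[] = { "pre-fix", "upstream 1.0.9", "RHEL 6 backport" };
    for (int v = 0; v < 3; v++) {
        char *d = build_defq((Variant)v, "HOST", HOSTILE_HOSTNAME);
        ShellScan sc = scan_for_shell(d);
        printf("%-16s %s\n  active metachars: %d, quotes balanced: %s\n",
               names[v], d, sc.active_meta, sc.quotes_balanced ? "yes" : "no");
        free(d);
    }
    return 0;
}
```

The pre-fix variant yields a fragment whose quotes are balanced but which carries two live ';' separators, so sh runs the injected command; the upstream variant keeps every character of the host name inside one pair of quotes with the metacharacters neutralised; the backport variant neutralises the host name but turns the opening quote into '_', which is exactly the unmatched `"` that the sh errors in Comment 11 complain about.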
Public now via xrdb release 1.0.9:
http://lists.freedesktop.org/archives/xorg-announce/2011-April/001636.html
http://lists.freedesktop.org/archives/xorg-announce/2011-April/001635.html

Upstream commit:
http://cgit.freedesktop.org/xorg/app/xrdb/commit/?id=1027d5df07398c1507fb1fe3a9981aa6b4bc3a56
Acknowledgements: Red Hat would like to thank Matthieu Herrb for reporting this issue. Upstream acknowledges Sebastian Krahmer of the SuSE Security Team as the original reporter.
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6
Via RHSA-2011:0433 https://rhn.redhat.com/errata/RHSA-2011-0433.html
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 4
Via RHSA-2011:0432 https://rhn.redhat.com/errata/RHSA-2011-0432.html
Source files for RHSA-2011-0433 are missing from ftp.redhat.com.
(In reply to comment #9)
> Source files for RHSA-2011-0433 are missing from ftp.redhat.com.

Corrected now.
It looks like the patch that was created for the RHEL6 build didn't quite match the upstream changes. Here is what the upstream patch section looked like: @@ -449,8 +457,9 @@ AddDefQ(String *buff, char *title, char *value) else #endif if (value && (value[0] != '\0')) { - AddDef(buff, title, "\""); - addstring(buff, value); + AddSimpleDef(buff, title); + addstring(buff, "=\""); + addescapedstring(buff, value); addstring(buff, "\""); } else AddDef(buff, title, NULL); This is what ended up in the new 7.4-15.el6.1 source RPM: @@ -411,7 +413,7 @@ AddDefQ(String *buff, char *title, char #endif if (value && (value[0] != '\0')) { AddDef(buff, title, "\""); - addstring(buff, value); + addescapedstring(buff, value); addstring(buff, "\""); } else AddDef(buff, title, NULL); This is causing a mismatched set of quotes for at least the VENDOR def: -DVENDOR=_Red Hat, Inc.\" And is causing xrdb to fail with the following errors: sh: -c: line 0: unexpected EOF while looking for matching `"' sh: -c: line 1: syntax error: unexpected end of file
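Review bot: in the 7.4-15.el6.1 hunk, the opening quote is still emitted through `AddDef(buff, title, "\"")` while only `addstring(buff, value)` was changed to `addescapedstring(buff, value)`; the `_` standing in for the opening quote in the quoted `-DVENDOR=_Red Hat, Inc.\"` output shows that this literal `"` now goes through the escaping path, so the closing `addstring(buff, "\"")` has nothing to match and sh reports the unterminated quote seen above. To line up with the upstream hunk, replace the `AddDef(buff, title, "\"");` line with `AddSimpleDef(buff, title);` followed by `addstring(buff, "=\"");`, and keep `addescapedstring(buff, value);` as the only escaped part.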
I had the same problem (xrdb failing, as explained in Comment 11) but under 5.6 (Tikanga) after upgrading from xorg-x11-server-utils-7.1-4.fc6.i386 to xorg-x11-server-utils-7.1-5.el5_6.1.i386.
Confirming that xrdb appears broken in both RHEL5 and RHEL6, giving just the error message cited in Comment 11.
The following bugs were created to track the fix for that regression: bug #696310, bug #696316 and bug #696317.